API Keys
All Enterprise API requests are authenticated with an API key in theAuthorization header:
avoca_<64 hex characters> — the avoca_ prefix followed by a cryptographically random hex token. Keys are stored hashed; treat them like passwords and never commit them to source control.
Obtaining API Keys
API keys are managed in the Avoca dashboard:- Team-level keys:
Settings → API Keyson your team (/team/[slug]/settings/api-keys) - Enterprise-level keys:
Settings → API Keyson your enterprise (/enterprise/[slug]/settings/api-keys)
Key Types
| Type | Access | Team scoping |
|---|---|---|
enterprise | Single team | Locked to one team; no x-team-id header needed |
enterprise_all_teams | All teams in the enterprise | v0 endpoints require x-team-id header or team_id query param (except GET /api/teams); v1 endpoints take the team ID in the URL path |
portfolio_all_teams | All teams in a portfolio (can span enterprises) | Same scoping rules as enterprise_all_teams; not valid for enterprise-scoped routes like /api/v1/enterprise/... |
Permissions
Each key is configured with permission scopes controlling which endpoints it can call. Calling an endpoint without the required permission returns403 Forbidden.
| Permission | Grants access to |
|---|---|
read:calls | Call records, metadata, and pre-call transfers |
read:transcripts | Call transcripts |
read:leads | Unified leads (v0) and the canonical leads feed (v1) |
read:teams | Listing accessible teams (multi-team keys) |
read:coach | Coach call evaluations, scores, and rubrics |
read:scheduler_analytics | Simple Scheduler analytics, sessions, bookings, booking requests, and scheduler configs |
read:outbound | Outbound texting feeds (campaign texts and subscription events) |
Multi-team Behavior
- Cross-team v1 endpoints (
/api/v1/sessions,/api/v1/bookings,/api/v1/analytics/funnel) aggregate across all teams the key can access, with an optionalteam_idquery filter. - Enterprise-scoped routes (
/api/v1/enterprise/:enterpriseId/...) require anenterprise_all_teamskey whose enterprise matches the path. - Designated internal QA/test teams are excluded from multi-team aggregations by default; pass
include_test_teams=trueto include them. Explicitly team-addressed requests are never filtered.